Page created: 10 Jan 2020
|
Page updated: 8 Feb 2022
| 2 min read
Topics: Standards, specifications, and protocols; X.509. Content type: Product documentation. Audience: Administrator. Language: English.
Configure the X.509 Certificate IdP Adapter to determine how PingFederate handles X.509 certificates.
- Sign on to the PingFederate administrative console.
- On the Identity Provider > Manage IdP Adapter Instances screen, click Create New Instance.
- On the Type screen, set the basic adapter instance attributes.
- In the Instance Name field, enter a name for the adapter instance.
- In the Instance ID field, enter a unique identifier for the adapter instance.
- In the Type list, select X.509 Certificate IdP Adapter. Click Next.
- Optional: On the IdP Adapter screen, in the Constrain Acceptable Root Issuers section, specify the certificate authorities (CAs) that you want to use to validate end-user X.509 certificates.
Note: The TLS client-certificate handshake always validates the presented certificate against all trusted CAs in PingFederate and the Java Virtual Machine. This section only restricts which of those issuers the adapter accepts for end-user certificates, so a certificate issued by a trusted CA that is not listed here passes the handshake but is not accepted by this adapter instance.
- Click Add a new row to 'Constrain Acceptable Root Issuers'.
- In the Issuer DN field, enter the subject distinguished name (DN) of an issuer listed on the Trusted CAs screen in PingFederate. For more information, see Manage trusted certificate authorities in the PingFederate documentation.
- In the Action column, click Update.
- To add more acceptable issuers, repeat steps a-c.
- On the IdP Adapter screen, configure the adapter instance by referring to X.509 Certificate IdP Adapter settings reference. Click Next.
- On the Extended Contract screen, add any attributes that you want to include in the extended contract. Enter attribute names in uppercase. Only the attribute types named in RFC 2253 are allowed: CN, L, ST, O, OU, C, STREET, DC, and UID.
Note: You can include subject DN components in this list. If you selected Parse Client Cert Subject and Issuer DNs on the IdP Adapter screen, you can also include the subject DN email component, as well as issuer DN components. For issuer DN components, prefix the attribute with issuer_, such as issuer_CN.
- Complete the adapter configuration.
- On the Summary screen, check that the configuration is correct. Click Done.
- On the Manage IdP Adapter Instances screen, click Save.
- If you configured the Client Auth Hostname field, in <pf_install>/pingfederate/server/default/data/config-store/session-cookie-config.xml, add your domain, with a leading period, to <c:item name="cookie-domain"></c:item>, such as <c:item name="cookie-domain">.example.com</c:item>. The leading period makes the session cookie available to every host under that domain, which is what lets the client-authentication hostname share the session with the main PingFederate hostname; use the narrowest domain that covers both hostnames.
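The following Python script is an added worked example; it is not part of this page or of PingFederate. It models what the adapter does with a client certificate's DNs under the rules in the Extended Contract and Constrain Acceptable Root Issuers steps above: it parses RFC 2253 string DNs (backslash and hex escapes, quoted values, multi-valued RDNs), enforces the Extended Contract rules (uppercase names, RFC 2253 types only, the email component and issuer_ components only when Parse Client Cert Subject and Issuer DNs is selected), fills the contract from the subject and issuer DNs, and checks an issuer DN against an acceptable-issuer list by comparing parsed RDNs rather than raw strings. The attribute name EMAIL and the aliases EMAILADDRESS and E for the email component are assumptions (the page gives no name for it), as is comparing the presented certificate's issuer DN directly; for a chain, pass the root CA's subject DN instead. The sample DNs are constructed.

```python
import re

# Attribute types to which RFC 2253 section 2.3 assigns string names. The page
# says these are the only subject DN components the Extended Contract accepts.
RFC2253_TYPES = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}
# Assumed spellings of the email component; the page gives no attribute name.
EMAIL_TYPES = {"EMAIL", "EMAILADDRESS", "E"}
ISSUER_PREFIX = "issuer_"

# One token of an attribute value: \XX hex pair, \c escaped char, or a literal.
_TOKEN = re.compile(r"\\([0-9A-Fa-f]{2})|\\(.)|(.)", re.S)


def _unescape(raw):
    """Decode one RFC 2253 value: optional surrounding quotes, \\XX hex escapes
    (collected as bytes so multi-byte UTF-8 decodes) and \\c escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    out = bytearray()
    for hexpair, esc, lit in _TOKEN.findall(raw):
        if hexpair:
            out.append(int(hexpair, 16))
        else:
            out += (esc or lit).encode("utf-8")
    return out.decode("utf-8")


def _split(dn):
    """Split a string DN at unescaped, unquoted ',', ';' or '+' into its
    attributeTypeAndValue pieces, keeping escapes intact for _unescape."""
    pieces, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in ",;+" and not quoted:
            pieces.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    pieces.append("".join(buf))
    return pieces


def parse_dn(dn):
    """Return [(TYPE, value), ...] in written order (most specific RDN first).
    Types are upper-cased; '#...' BER-encoded values are left verbatim."""
    pairs = []
    for piece in _split(dn):
        if not piece.strip():
            continue
        attr_type, sep, value = piece.partition("=")
        if not sep:
            raise ValueError("not an attributeTypeAndValue: %r" % piece)
        value = value.lstrip()          # drop unescaped leading blanks only
        if not value.startswith("#"):
            value = _unescape(value)
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def validate_contract(names, parse_subject_and_issuer):
    """Extended Contract rules from the page: uppercase names, RFC 2253 types
    only, and EMAIL or issuer_* only when the parse option is selected."""
    for name in names:
        is_issuer = name.startswith(ISSUER_PREFIX)
        core = name[len(ISSUER_PREFIX):] if is_issuer else name
        if core != core.upper():
            raise ValueError("%s: enter attributes in uppercase" % name)
        if core not in RFC2253_TYPES and core not in EMAIL_TYPES:
            raise ValueError("%s: not an RFC 2253 attribute type" % name)
        if (is_issuer or core in EMAIL_TYPES) and not parse_subject_and_issuer:
            raise ValueError("%s: requires Parse Client Cert Subject and Issuer DNs" % name)


def contract_problem(names, parse_subject_and_issuer):
    """Validation error message for the contract, or None if it is valid."""
    try:
        validate_contract(names, parse_subject_and_issuer)
    except ValueError as exc:
        return str(exc)
    return None


def fulfill_contract(names, subject_dn, issuer_dn, parse_subject_and_issuer=True):
    """Build {attribute: value} for a valid contract from the certificate's
    subject and issuer DNs. The first (most specific) RDN of a type wins, e.g.
    the first of several OUs; attributes absent from the certificate are omitted."""
    validate_contract(names, parse_subject_and_issuer)
    subject, issuer = parse_dn(subject_dn), parse_dn(issuer_dn)
    result = {}
    for name in names:
        is_issuer = name.startswith(ISSUER_PREFIX)
        core = name[len(ISSUER_PREFIX):] if is_issuer else name
        wanted = EMAIL_TYPES if core in EMAIL_TYPES else {core}
        for attr_type, value in (issuer if is_issuer else subject):
            if attr_type in wanted:
                result[name] = value
                break
    return result


def issuer_acceptable(issuer_dn, acceptable_issuer_dns):
    """Model of Constrain Acceptable Root Issuers: the issuer DN must match one
    configured Issuer DN RDN-for-RDN. Comparing parsed components makes
    spacing, escaping style and type-name case irrelevant; values are compared
    exactly, which is stricter than X.500 matching rules for some attributes."""
    want = parse_dn(issuer_dn)
    return any(parse_dn(dn) == want for dn in acceptable_issuer_dns)


if __name__ == "__main__":
    # Constructed sample DNs; they do not come from any real certificate.
    subject = (r"CN=Alice Smith,OU=Security,OU=Engineering,"
               r"O=Example\, Inc.,C=US,EMAILADDRESS=alice@example.com")
    issuer = r"CN=Example Corp Root CA, O=Example\, Inc., C=US"
    print(fulfill_contract(["CN", "OU", "O", "EMAIL", "issuer_CN"], subject, issuer))
    print(issuer_acceptable(issuer, [r"cn=Example Corp Root CA,o=Example\, Inc.,c=US"]))
```

Running the script prints the fulfilled contract (OU resolves to Security, the most specific OU) and True for the issuer check, even though the configured Issuer DN is written with lowercase type names and no spaces. Feeding the real adapter a contract name such as "cn" or "SN", or "issuer_CN" without the parse option, corresponds to the ValueError cases in validate_contract.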